[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)

Arnold Reinhold agr at me.com
Sun Apr 20 16:19:03 EDT 2014


On Fri, 18 Apr 2014 22:21 Nemo <nemo at self-evident.org> wrote:

...
> Re: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=30475
> 
> A C compiler is a compiler for the C language. The C language is, by
> definition, the language described by the C specification. You should
> expect compiler authors to do everything allowed by that specification
> to generate faster code. If you cannot handle the semantics of the C
> language, perhaps C is the wrong language for your task, or for you. Do
> not blame the compiler writers if you don't know the language.
> 
> At any rate, this is the attitude of the GCC developers. It is also the
> attitude of the Clang developers:
> 
> http://goo.gl/FwiO2e
> ...

The events described in the above-linked Bugzilla thread regarding Bug 30475, as I read it, are that the GCC team was informed that the GCC compiler in its common mode of operation is, without any warning, removing safety checks that have been inserted in a wide variety of existing programs; that the safety checks were inserted by competent programmers who were unaware of any potential problem with their use; that the safety checks, if left in place, would be functional and could avert serious security lapses; and that it is not feasible to find all the instances of these checks and apply proposed workarounds in a reasonable amount of time and effort.

The GCC team does not challenge these assertions but instead claims that the C language specifications say that the behavior of the language in these circumstances (signed arithmetic overflow) is undefined, and that they are therefore permitted (not required) to remove the safety checks. They make it clear they have no intention to do anything to eliminate or mitigate the resulting safety issues. While the report stems from 2007, the bug was closed and marked “Resolved as fixed.” on February 16, 2014.

I am not a lawyer, but I remember well the briefing I got before serving on an automation system safety review board. As I recall the law, everyone has a basic duty of care when made aware of a hazardous situation. Engineers in particular are expected to use reasonable diligence and good judgment in exercising their professional skill. The test for negligence is what “a reasonable person” would be expected to do in the same circumstance. Here, for example, is how New York State Penal Law §15.05 (http://codes.lp.findlaw.com/nycode/PEN/ONE/B/15/15.05) defines things:

3. "Recklessly." A person acts recklessly with respect to a result or to a circumstance described by a statute defining an offense when he is aware of and consciously disregards a substantial and unjustifiable risk that such result will occur or that such circumstance exists. The risk must be of such nature and degree that disregard thereof constitutes a gross deviation from the standard of conduct that a reasonable person would observe in the situation.  …

4. "Criminal negligence." A person acts with criminal negligence with respect to a result or to a circumstance described by a statute defining an offense when he fails to perceive a substantial and unjustifiable risk that such result will occur or that such circumstance exists. The risk must be of such nature and degree that the failure to perceive it constitutes a gross deviation from the standard of care that a reasonable person would observe in the situation. 

Again I am not a lawyer, but it is hard for me to imagine anything more reckless than allowing a compiler to silently remove safety checks in generated code for any reason, much less the modest performance gains being cited. And if anyone were killed or injured as a result of these checks being removed, this Bugzilla thread alone would be enough to convince me that a substantial and unjustifiable risk had been consciously disregarded. I doubt a lay jury would have more sympathy.

In my opinion, the GNU Project and the developers of GCC would be well advised to get legal advice on their responsibilities and liabilities in this matter. 


Arnold Reinhold
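An added illustration of the kind of check Bug 30475 concerns, written for this page and not taken from the post, the bug report or GCC itself: the first function has the shape of the overflow test the report discusses, which relies on signed overflow wrapping and is therefore undefined behaviour that the optimiser may fold away; the second performs the same test against INT_MAX/INT_MIN before any arithmetic happens, so it is well defined and cannot be removed. Function names are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Shape of the check from the bug report: compute the sum, then compare.
 * If a + delta overflows, that is undefined behaviour in C, so the
 * compiler may assume it never happens and fold "sum < a" to false,
 * i.e. the check silently disappears. Shown only for contrast. */
bool fragile_add_fits(int a, int delta)
{
    int sum = a + delta;   /* undefined if this overflows */
    return !(sum < a);     /* may be optimised to "return true" */
}

/* Well-defined form: decide from the operands and the limits whether the
 * addition would overflow, and only then perform it. No overflow is ever
 * executed, so there is no undefined behaviour for the optimiser to exploit. */
bool checked_add(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) ||
        (b < 0 && a < INT_MIN - b)) {
        return false;      /* would overflow; caller must handle it */
    }
    *out = a + b;
    return true;
}

int main(void)
{
    int r;
    /* Constructed inputs: one that fits and one that would overflow. */
    printf("%d\n", checked_add(INT_MAX - 100, 100, &r)); /* 1 */
    printf("%d\n", checked_add(INT_MAX, 1, &r));         /* 0 */
    return 0;
}
```

Newer GCC and Clang also provide `__builtin_add_overflow`, which expresses the same intent without the manual limit comparison.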